Is ASP.NET role based security a true role based access control system?


Question

From what I have read in this paper (https://docs.google.com/viewer?a=v&q=cache%3aC42MYHJHjgsJ%3aciteseerx.ist.psu.edu/viewdoc/download?doi%3D10.1.1.84.9866%26rep%3Drep1%26type%3Dpdf+In+Proceedingsof+the+International+Conference+on+Engineering+ComplexComputing+Systems+%28ICECCS+2002%29,+Greenbelt,+MD,December+2002.+ACM+$p$pss.&hl=en&gl=in&pid=bl&srcid=ADGEESjjfqWJhL1iYnn_c8OhK2HkK2Qam-hkfWDW-lpszXERVdAKnjOoEtS_kH9xA8cEWkonK0k1caoTOc-icf8Er25t9x8oBsU2voE4v2YgTwLAHvzPkvundMqGLRz-V00AgbRWAOAe&sig=AHIEtbQJfwI7wDVbjJtSniH3nDrtIDp4rg&pli=1), I understand that a role based access control system is one where users can be assigned to roles, and roles specify permissions to perform operations on objects. But in ASP.NET we do not specify "operations on objects". What I mean here is: how can we specify "all users in role R can perform a delete on object O"? Where is the object part in ASP.NET?

Answer

The security model in ASP.NET is pretty limited. In essence you only have control at the role level, which means that for any operation you have to test to see whether the user is in any of the roles that you want to allow to perform that operation.

We took the path of defining our own model that gives much more granularity. Basically we define operations and assign those operations to various roles. This way we can test if they have a "delete account" right versus testing if they are in "Admin", "Account Admin", or any number of other roles. It's very similar to how Active Directory works. Further, it allows us to reconfigure roles as needed.

There is a piece called Authorization Manager (AzMan) that ships with Windows. It can work with your membership provider to provide operation-level control. Some people have had success with it, but others have complained that it's difficult to get working. We used it about 5 years ago on a project and at that time it worked about 95% of the time. The other 5% it had communication issues with our AD controller.

Which leads us to your question: is the built-in ASP.NET membership provider a true role based access control system? No. It allows you to define roles, not operations.
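One way to build the operation-level model the answer describes, as an added example that is not code from the original answer and not part of ASP.NET itself: a small store that grants operations on object types to roles, plus a check that consults the user's ASP.NET roles through IPrincipal.IsInRole. The role names, the operation names, the object type "Account" and the OperationAuthorizer class are assumptions for illustration; GenericPrincipal and GenericIdentity stand in for the principal the membership and role providers would supply at request time.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example (not from the original answer): operation-level authorization layered on
// top of ASP.NET role membership. All role/operation/object names below are assumptions.
public sealed class OperationAuthorizer
{
    // role -> set of "objectType:operation" grants
    private readonly Dictionary<string, HashSet<string>> _grants =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    // Express "all users in role R can perform <operation> on object O" as a single grant.
    public void Grant(string role, string operation, string objectType)
    {
        if (!_grants.TryGetValue(role, out var ops))
        {
            ops = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            _grants[role] = ops;
        }
        ops.Add(Key(operation, objectType));
    }

    // A user is allowed if ANY of the roles the role provider reports for them holds the grant.
    // Unauthenticated users, unknown roles and ungranted operations all fail closed.
    public bool IsAllowed(IPrincipal user, string operation, string objectType)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        string wanted = Key(operation, objectType);
        foreach (var entry in _grants)
        {
            if (user.IsInRole(entry.Key) && entry.Value.Contains(wanted))
                return true;
        }
        return false;
    }

    private static string Key(string operation, string objectType) => objectType + ":" + operation;
}

public static class Demo
{
    public static void Main()
    {
        var authz = new OperationAuthorizer();

        // Role-to-operation mapping lives in one place. Changing who may delete accounts means
        // editing these grants, not every call site that used to test
        // IsInRole("Admin") || IsInRole("Account Admin").
        authz.Grant("Admin", "Delete", "Account");
        authz.Grant("Account Admin", "Delete", "Account");
        authz.Grant("Support", "Read", "Account");

        // Constructed sample principals standing in for what the providers would hand the page.
        var alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Account Admin" });
        var bob   = new GenericPrincipal(new GenericIdentity("bob"),   new[] { "Support" });
        var anon  = new GenericPrincipal(new GenericIdentity(""),      new string[0]); // empty name => not authenticated

        // Call sites ask about the operation on the object, never about specific role names.
        Console.WriteLine("alice Delete Account: " + authz.IsAllowed(alice, "Delete", "Account"));
        Console.WriteLine("bob   Delete Account: " + authz.IsAllowed(bob,   "Delete", "Account"));
        Console.WriteLine("bob   Read   Account: " + authz.IsAllowed(bob,   "Read",   "Account"));
        Console.WriteLine("anon  Read   Account: " + authz.IsAllowed(anon,  "Read",   "Account"));
    }
}
```

The object part the question asks about is the objectType component of the grant key: "delete" on "Account" is a different permission from "delete" on anything else, so a role can be given one without the other. The check deliberately returns false for an unauthenticated identity and for any operation nobody has been granted, so a typo in an operation name at a call site denies rather than allows.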
